In dproxy.c, the UDP packet buffer, which can be up to 4096 bytes long
is copied into a variable called query_string, which is at most 2048
bytes. As this is done using strcpy, the stack can be overwritten
which leads to arbitrary command execution.

Note that one can easily find out whether dproxy is running
using the fpdns tool (see http://www.rfc.se/fpdns/). dproxy also
seems to be used in a number of WLAN access points / routers, but
the version used there (at least in the Linksys WRT54AG, the Asus
WL500g and the Netgear DG834G) seems to be dproxy-nexgen, which is not
vulnerable to this attack.

Thanks to Dan Kaminsky, who provided me with the interesting statistics
that apparently only 20 out of about 2.000.000 DNS servers he scanned
are using dproxy. So this does not look like a major attack vector.